INFORMATION ABOUT DATA PROTECTION AT OTOKAR EUROPE
#1 – PURPOSE OF THIS DOCUMENT
The purpose of this policy (hereinafter "Policy") is to inform you about the processing of your Personal Data by OTOKAR Europe SAS, registered under the number 534 167 796 in the Pontoise Register of Trade & Companies (hereinafter referred to as "Otokar Europe" and/or "We").
#2 - WHO IS THE CONTROLLER OF PROCESSING OPERATIONS ON YOUR DATA?
Otokar Europe imports and distributes Otokar public service vehicles and spare parts for those vehicles through its network of distributors in France and Europe. As part of its activities, Otokar Europe authorises and obliges the approved distributors, service locations and repairers who are members of its network (hereafter referred to as "Otokar Europe Partners") to offer support and customer service in technical and non-technical fields to existing and potential customers.
Otokar Europe also manages the www.otokareurope.com website, while promoting the Otokar brand in France and Europe.
Unless otherwise stated, Otokar Europe Partners are legally and financially independent companies and are not part of Otokar Europe. They use the Otokar brand in their capacity as licensees authorised to sell public service vehicles, OEM parts and maintenance and repair services under said brand.
Pursuant to the General Data Protection Regulation ("GDPR"), Otokar Europe is the data controller for all of your Personal Data processed through the aforementioned website, your MyOtokar app and your correspondence with the Otokar After-Sales Department (hereafter referred to collectively as Otokar Europe "Customer Service"), and as part of electronic or postal direct marketing actions.
Otokar Europe may also process your data where they are transferred to Otokar Europe by Otokar Europe Partners, in accordance with the legal requirements relating to data protection. The Otokar Europe Partners are, in turn, data controllers of the Personal Data that you supply to them as part of the sales activities and services that they offer (repairs, servicing, etc.).
The Otokar Europe Partners also process your data when they are transferred by Otokar Europe, in accordance with the applicable regulations. This data protection information also describes some of the processing performed by Otokar Europe, but is not exhaustive. In fact, the Otokar Europe Partners may collect other Personal Data referred to in their own data protection information documents. In this case, you can approach those Otokar Europe Partners to find out how they use your Personal Data.
#3 – WHEN DOES OTOKAR EUROPE COLLECT AND USE THE PERSONAL DATA?
Otokar Europe collects and processes your Personal Data in the following situations in particular:
- When you contact us directly (through our website or the Otokar Europe Sales Department, for example), for questions relating to our products and services, or other questions;
- When you purchase an Otokar vehicle;
- When you subscribe to services (MyOtokar app, etc.) from Otokar Europe;
- When you request information from us about our vehicles and services (sending brochures, for example);
- When you respond to our marketing actions (for example sending an email or communicating your data on our website (www.otokareurope.com);
- When third parties or Otokar Europe Partners transmit your Personal Data to us, in accordance with current regulations (for example, you have given your consent or have not objected to the transmission of your data to Otokar Europe having been informed of your right to object, for customer management purposes (e.g. to identify you if you contact the Otokar Europe After-Sales Department);
- When data relating to your vehicle (including the chassis number) are transmitted to us as part of services and maintenance/repairs performed by Otokar Europe Partners;
- When third parties (approved address providers, for example) are lawfully entitled to transmit your Personal Data to us.
So that we can keep your Personal Data up to date, please inform us of any changes in this regard, particularly relating to your contact details.
#4 – WHAT PERSONAL DATA DO WE COLLECT?
The categories of Personal Data that Otokar Europe may collect through the various services and communication channels described in the data protection information are as follows:
- Contact data: surname, first name, company name, address, telephone number, e-mail address.
- Other Personal Data: information that you have provided regarding, for example, your position in your company, etc.
- Contractual data: for example, customer number, contract number, Otokar services subscribed to.
- Current and/or preferred Otokar dealer.
- Identification data, in particular: customer number and contract number.
- Customer history, in particular: data relating to the purchase of the Otokar vehicle (model, configuration, purchase date, date of first registration, purchase order date, delivery date, owner, etc.).
- History of campaigns and responses (Customer Service scheme – current and potential customers – and direct marketing actions).
- Attendance at trade shows and/or events.
- History of questions and claims directed at the Otokar Europe After-Sales Department.
- Data from apps/websites/social networks.
- Online account data: information about your accounts associated with MyOtokar, for example.
- Data about transactions and interactions: information relating to purchases of products and services, interactions with Otokar Europe Customer Service (requests, claims) and Otokar Europe Partners, and your participation in quality and/or satisfaction surveys.
- Use of Otokar services and apps: information relating to your use of the Otokar app (on your mobile device) and the MyOtokar services.
- Technical vehicle data: any data created and/or processed in the vehicle.
- Vehicle chassis number and other corresponding characteristics.
#5 – WHAT IS THE PURPOSE OF THE PROCESSING OF YOUR DATA BY OTOKAR EUROPE?
Otokar Europe only processes your data if such processing is permitted by the applicable regulations. In particular, we process your data in accordance with the GDPR in the following situations:
- Otokar Europe and its approved dealer and service location partners use your Personal Data to manage contracts (for example vehicle orders, repair/workshop orders, subscriptions to Otokar services) or any request made by you (for example offers, tests). This processing is necessary in order to perform contracts or to manage your requests. With regard to requests by you, Otokar Europe may contact you in order to deal with your request.
- Otokar Europe might also need to contact you if your Otokar vehicle is subject to a service or recall campaign. If necessary, given the highly important nature of such campaigns (preventing risk to the vehicle's passengers, damage to the vehicle, etc.), Otokar Europe will contact you either directly or through one of its approved dealers or service locations, using the contact details that you have given us, in order to comply with its legal obligation to inform.
- In addition, Otokar Europe may also contact you, in carefully defined situations, for marketing or sales purposes; particularly in connection with its legitimate interest in improving knowledge of its customers and developing its customer base. You may therefore be contacted, for example:
- during sales prospecting operations (product and service offers, etc.);
- in a personalised way based on your customer profile;
- for satisfaction surveys;
- to inform you of the end of a warranty or service contract;
- to make you an offer relating to your vehicle (testing, etc.).
Otokar Europe undertakes, if applicable, to issue these communications in accordance with the legal requirements relating to data protection and to obtain your express consent in advance where required by law.
Otokar Europe also processes your Personal Data in order to provide you with the best possible experience of its various services (by identifying you correctly at all points of contact, for example).
These Personal Data are necessary for the management of Otokar Europe's activities. Failure to provide these Data or refusing their collection will make it difficult or impossible for Otokar Europe to manage its activities.
#6 – WHO HAS ACCESS TO YOUR PERSONAL DATA?
Otokar Europe undertakes to maintain the confidentiality of your Personal Data and to comply with all legal requirements regarding the sharing and disclosure of Personal Data. In this regard, your Personal Data will only be accessible by a limited list of recipients, depending on their needs and on a case-by-case basis.
In particular, Otokar Europe may transmit data to the following recipients:
- Otokar Europe employees who work in the departments responsible for processing Personal Data within the scope of their duties (e.g. marketing department; sales department; etc.) [add others if necessary];
- Partner companies and public authorities that are entitled to receive your data.
- Service providers acting on behalf of Otokar Europe (e.g. in order to send newsletters) who may also have access to your Personal Data.
The transmission of data, in complete accordance with the applicable Personal Data protection regulations, to carefully selected service providers and partners with whom we cooperate to offer you products and services. We only perform this transfer in strict compliance with the conditions governing processing by a processor set out in the GDPR. One of our IT service providers is located outside of the European Economic Area. This transfer is covered by the Standard Contractual Clauses.
Please note that we only share your Personal Data where said recipients have a legitimate need to access it.
#7 – HOW DOES OTOKAR EUROPE PROTECT YOUR PERSONAL DATA?
Otokar Europe and, if applicable, its duly selected partner processors, implement several security measures such as cutting-edge encryption and authentication tools to protect and preserve the security, integrity and availability of your data. While it is impossible to guarantee absolute security against unauthorised access during the transfer of data over the Internet or on a website, Otokar Europe, its service providers and partners do all they can to protect your Personal Data in accordance with the applicable data protection regulations, by implementing cutting-edge physical, electronic and process-oriented security measures. The measures applied include the following:
- Strict criteria for authorising access to your data on a "need to know" basis (restricted to as few people as possible) and solely for the intended purposes.
- Transfer of the data collected in encrypted form in the majority of cases.
- Firewall protection of computer systems to protect them against unauthorised access, by hackers for example.
- Constant monitoring of access to computer systems to detect and prevent the misuse of Personal Data.
If you receive a password from Otokar Europe or if you have chosen one yourself to access certain services, areas of our website or other portals or apps offered by our brand, you are responsible for keeping said password confidential and complying with all other security procedures of which you are informed. We particularly ask that you never disclose your password.
#8 – HOW LONG DO WE STORE YOUR DATA FOR?
We only store your data for the period necessary for the purposes for which we process them.
If data are processed for different purposes, your data are automatically erased, or stored in a format that no longer makes it possible to identify you, as soon as the last task and specific purpose has been fulfilled.
To guarantee that all of your data are erased in accordance with the principle of data minimisation and GDPR Article 17, Otokar Europe is implementing an internal erasure process based on the fundamental principles described below.
Use for the purposes of compliance with a contract
In order to fulfil contractual obligations, the data collected from you may be stored for the entire term of the contract and, depending on the nature and scope of the contract, for a specified period after such term in order to fulfil the applicable storage obligations and enable us to respond to any questions or claims arising after the term of the contract. In addition, some product and service supply contracts require a longer storage period; see also "Use for assessing claims" below.
Use for assessing claims
Data that, according to Otokar Europe, are necessary for assessing and avoiding claims against us or for bringing criminal proceedings or making claims against you, against us or against any third party, may be stored by us for the entire period during which the corresponding proceedings may be brought, in accordance with the applicable statutory limitation periods.
Use for Customer Service and marketing purposes
For both Customer Service and sales prospecting purposes, the data collected from you may be stored for three years following the end of any commercial relationship, unless you request that they be erased and provided that there is no contractual or legal storage obligation that prevents the fulfilment of said request.
#9 – YOUR RIGHTS RELATING TO THE PROTECTION OF YOUR DATA
As the data subject concerned by the processing of your data, you are entitled to exercise certain rights set out by the GDPR and other applicable data protection regulations, including the following:
Right to access your data (GDPR - Art. 15):
You can request access to your Personal Data stored by Otokar Europe at any time. This information includes the categories of data we process, the purposes of the processing, the source of the data when we have not collected them directly from you and, if applicable, the recipients to whom we disclose your data. You may receive a copy of your data free of charge on request. We reserve the right to invoice any requests for additional copies.
Right to rectification (GDPR - Art. 16):
You may request that Otokar Europe rectify the Personal Data concerning you. We take all reasonable action to keep the data that we hold about you up to date, and we process them lawfully, accurately, fully, in their updated form and relevantly on the basis of the most up-to-date information available to us.
Right to be forgotten (GDPR - Art. 17):
You may request the erasure of your data provided that the above legal prerequisites have been satisfied:
- The data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
- You withdraw your consent, where there is no other legal ground for the processing of the data,
- You object to the processing of your data and there are no overriding legitimate grounds for the processing, or you object to the processing of your data for prospecting purposes,
- The data have been unlawfully processed.
Unless the processing is necessary:
- For compliance with a legal obligation that requires that we store and process your data, subject to application of the storage periods required by the applicable regulations,
- For the establishment, exercise or defence of legal claims.
Right to restriction of processing (GDPR – Art. 18):
You may request the restriction of processing of your data in the following cases:
• You contest the accuracy of the data. The subsequent processing of the data is restricted for a period enabling verification of the accuracy thereof.
• The processing is unlawful and you oppose the erasure of your data. You request the restriction of their use instead.
• Otokar Europe no longer needs your data, but you require them for the establishment, exercise or defence of legal claims.
• You have objected to the processing pending verification of whether the legitimate grounds of Otokar Europe prevail over yours.
Right to data portability (GDPR - Art. 20):
You may request that your Personal Data be transmitted to another data controller where technically feasible. However, you are only granted this right if the processing of the data is based on your consent or necessary for the performance of a contract. Instead of receiving a copy of your data, you can also request that Otokar Europe transmit them directly to another controller designated by you.
Right to object (GDPR - Art. 21):
You have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data for the purposes of the legitimate interests of Otokar Europe or a third party. In this case, we will no longer process said data. This provision does not apply if we can demonstrate compelling legitimate grounds for the processing which override your interests or if we need your data for the establishment, exercise or defence of legal claims.
What happens to your data after your death (French Data Protection Act no. 78-17 of 6 January 1978, Art. 32):
You also have the right to give instructions regarding what happens to your Personal Data after your death.
Response times following the exercising of the rights set out above:
We strive to respond to all requests within thirty days.
However, this may take longer for reasons relating to the complexity of your request and the number of requests received.
When we do not transmit your data:
In some situations, Otokar Europe might be unable to transmit all of your data due to a legal obligation. In this case, if we refuse your request, we will tell you the reason for refusal immediately.
Recourse to the competent authorities:
Otokar Europe takes your rights and concerns very seriously. However, if you feel that we have not responded to your claims, you are entitled to appeal to the competent data protection authority (in France, the National Commission for Information Technology and Civil Liberties (CNIL)).
#10 – CONTACTING US ABOUT YOUR PERSONAL DATA
For any questions about our use of your Personal Data, please contact an officer:
- By e-mail: firstname.lastname@example.org
- By post at the following address:
Personal Data Protection Officer
Otokar Europe SAS
24 rue du Noyer Parc Les Scientifiques De Roissy Lot A-3